[ https://issues.apache.org/jira/browse/FOP-2812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16596325#comment-16596325 ]
simon steiner commented on FOP-2812:
------------------------------------

Depends on https://issues.apache.org/jira/browse/PDFBOX-4303

> pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be
> upgraded to 2.0.11
> ----------------------------------------------------------------------------------------------
>
>                 Key: FOP-2812
>                 URL: https://issues.apache.org/jira/browse/FOP-2812
>             Project: FOP
>          Issue Type: Bug
>          Components: unqualified
>    Affects Versions: 2.3
>            Reporter: Deodatta Marathe
>            Assignee: simon steiner
>            Priority: Major
>
> Description from CVE
> In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted
> (or fuzzed) file can trigger an infinite loop which leads to an out of memory
> exception in Apache PDFBox's AFMParser.
>
> Explanation
> The Apache PDFBox is vulnerable to Uncontrolled Resource Consumption
> ('Resource Exhaustion'). A successful exploit could trigger an infinite loop
> scenario that may lead to an out-of-memory exception in the AFMParser
> component, resulting in a DoS condition.
>
> Detection
> The application is vulnerable by using this component.
>
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable
> to this specific issue.
>
> Categories
> Data
>
> Root Cause
> AFMParser.class : [2.0.0-RC1, 2.0.11)
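A defender-side check for the "Detection" step above, added here and not part of the issue, of FOP or of PDFBox: it scans `mvn dependency:tree` output for PDFBox/FontBox artifacts whose version falls inside the ranges the CVE names (1.8.0 through 1.8.14, and [2.0.0-RC1, 2.0.11)), using a simplified Maven-style ordering in which a qualified version such as 2.0.0RC1 sorts below its plain release. The tree lines, the `AFFECTED` table and the helper names are assumptions constructed for the example.

```python
# Added example (not from the JIRA issue, FOP or PDFBox): flag FontBox/PDFBox
# artifacts in `mvn dependency:tree` output that fall in the version ranges
# given for CVE-2018-8036. The sample tree lines below are constructed.
import re

# Ranges from the issue text: 1.8.0 .. 1.8.14 inclusive, and 2.0.0-RC1 up to
# but excluding 2.0.11 (Maven interval notation [2.0.0-RC1, 2.0.11)).
AFFECTED = [("1.8.0", True, "1.8.14", True), ("2.0.0-RC1", True, "2.0.11", False)]

def version_key(v):
    """Simplified Maven ordering: numeric parts compare numerically and a
    pre-release qualifier (RC1, beta, ...) sorts below the plain release."""
    v = re.sub(r"(\d)([A-Za-z])", r"\1-\2", v)          # 2.0.0RC1 -> 2.0.0-RC1
    head, _, qual = v.partition("-")
    nums = [int(p) for p in head.split(".")]
    while len(nums) < 3:                                # 2.0 -> 2.0.0
        nums.append(0)
    # (0, qualifier) < (1, "") so any qualified version precedes its release
    qual_key = (0, qual.lower()) if qual else (1, "")
    return (tuple(nums), qual_key)

def is_affected(version):
    """True when `version` lies inside any range in AFFECTED."""
    k = version_key(version)
    for lo, lo_inc, hi, hi_inc in AFFECTED:
        lo_ok = k >= version_key(lo) if lo_inc else k > version_key(lo)
        hi_ok = k <= version_key(hi) if hi_inc else k < version_key(hi)
        if lo_ok and hi_ok:
            return True
    return False

# groupId:artifactId:packaging:version:scope, as printed by dependency:tree
DEP_RE = re.compile(r"org\.apache\.pdfbox:(fontbox|pdfbox):jar:([^:]+):")

def scan_tree(lines):
    """Return (artifact, version) pairs from the tree that are in an affected range."""
    hits = []
    for line in lines:
        m = DEP_RE.search(line)
        if m and is_affected(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

SAMPLE_TREE = [  # constructed mvn dependency:tree output
    "[INFO] +- org.apache.xmlgraphics:fop:jar:2.3:compile",
    "[INFO] |  +- org.apache.pdfbox:fontbox:jar:2.0.8:compile",
    "[INFO] |  \\- org.apache.pdfbox:pdfbox:jar:2.0.11:compile",
]

if __name__ == "__main__":
    for artifact, version in scan_tree(SAMPLE_TREE):
        print(f"{artifact} {version} is in an affected range; upgrade to 2.0.11 or later")
```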